Marking back to triaged. While https://juju.ubuntu.com/Charms states "your charm should then be looked at in a timely manner" it doesn't state the process that is used to review the charm. There is process there for people to get their charm reviewed, but that is different. This bug is about having something like the ARB or MIR requirements for charm reviewers.

The point of the bug is that there is a set of guidelines for reviewers to follow and to make sure that charms are written well and don't introduce security holes. Eg: http://jujucharms.com/charms/oneiric/phpmyadmin/config has a default passphrase and http://jujucharms.com/charms/oneiric/phpmyadmin/hooks/install has 'chown -R www-data:www-data /var/www'. What is the signoff procedure here? Is the default password guaranteed to be changed on install? Are there configuration files in /var/www that should not be chowned to www-data:www-data to prevent abuse? (ie, often config files in webapps are owned by root so if www-data is under attacker control, there is still some protection). Where are the comments for such review/sign-offs listed?

To be clear, while it would be good to see the phpmyadmin issues above addressed, they aren't this bug-- I used them as examples of why charms should have a review process. Included in that review process should be some sort of documentation trail so that someone looking at them for the first time can have questions answered.